IN THE CLAIMS:

Please CANCEL claims 11-12 and 21-22 without prejudice or disclaimer. 
Please AMEND claims 1-5, 8, 10, 13-15, and 17-20 as follows. 
Please ADD claims 23-69 as follows. 

1. (Currently Amended) A method comprising:

executing an authentication protocol, wherein the terminal authentication protocol comprises

authenticating an identity of a network entity by a terminal in a communication system;

sharing a key between the terminal and the network entity for use in securing subsequent communications between the terminal and the network entity; and

executing another authentication protocol comprising

sharing challenge data between the network entity and the terminal;

forming at the terminal test data by applying an authentication function to the challenge data;

sending a message comprising terminal authentication data, from the terminal to the network entity; and

determining, based on the terminal authentication data, whether to provide the terminal with access to a service,

wherein the determining comprises providing the terminal with access to the service only when the terminal authentication data equals a predetermined function of at least the test data and the key.

2. (Currently Amended) A method as claimed in claim 1, further comprising:

forming the test data by applying the authentication function to the challenge data at the authentication functionality; and

sending the test data from the authentication functionality to the network entity,

wherein the determining comprises forming network authentication data by applying the predetermined function to the test data and the key at the network entity, and

wherein the determining further comprises providing the terminal with access to the service only when the terminal authentication data equals the network authentication data.

3. (Currently Amended) A method as claimed in claim 1, further comprising:

sending the key from the network entity to the authentication functionality;

forming the test data by applying the authentication function to the challenge data at the authentication functionality; and

forming network authentication data by applying the predetermined function to the test data and the key at the authentication functionality.

4. (Currently Amended) A method as claimed in claim 3, further comprising:

sending the terminal authentication data from the network entity to the authentication functionality; and

sending, from the authentication functionality to the network entity, an indication of whether the terminal authentication data equals the network authentication data, and

wherein the determining comprises providing the terminal with access to the service only when the indication is that the terminal authentication data equals the network authentication data.

5. (Currently Amended) A method as claimed in claim 3, further comprising:

sending the network authentication data from the authentication functionality to the network entity, and

wherein the determining comprises providing the terminal with access to the service only when the indication is that the terminal authentication data equals the network authentication data.

6. (Previously Presented) A method as claimed in claim 1, wherein the 
terminal authentication data is formed as a cryptographic checksum. 

7. (Previously Presented) A method as claimed in claim 1, wherein the
network entity is co-located with the authentication functionality. 

8. (Currently Amended) A method as claimed in claim 1, wherein an identity module of the terminal is configured to perform the authentication function.

9. (Original) A method as claimed in claim 8, wherein the identity module is 
user-removable from the terminal. 

10. (Currently Amended) A method as claimed in claim 8, wherein the identity module is a subscriber identity module or a universal subscriber identity module.

11-12. (Cancelled) 

13. (Currently Amended) A method as claimed in claim 8, wherein the identity module is configured to store a code and the authentication function comprises a cryptographic transformation applied to the code and the input data.

14. (Currently Amended) A method as claimed in claim 1, wherein the authentication protocol is one of a pre-internet key exchange credential provisioning protocol, a protected extensible authentication protocol or an extensible authentication protocol-tunneled transport layer security.

15. (Currently Amended) A method as claimed in claim 1, wherein the challenge data and the response data are formed according to an extensible authentication protocol.

16. (Previously Presented) A method as claimed in claim 1, wherein the said 
message is a dedicated authentication message. 

17. (Currently Amended) A method as claimed in claim 1, wherein the 
predetermined function is used for derivation of a session key to be used for one of 
encryption and/or authentication of communications between the terminal and the 
network entity. 

18. (Currently Amended) A communication system, comprising:

a terminal configured to apply authentication functions to input data to form response data; and

a network entity configured to provide access to a service,

wherein the system is configured to perform an authentication method of executing an authentication protocol, wherein the authentication protocol comprises

authenticating an identity of the network entity by the terminal in the system;

sharing a key between the terminal and the network entity for use in securing subsequent communications between the terminal and the network entity; and

executing another authentication protocol comprising

sharing challenge data between the network entity and the terminal;

forming at the terminal test data by applying an authentication function to the challenge data;

sending a message comprising terminal authentication data from the terminal to the network entity; and

determining, based on the terminal authentication data, whether to provide the terminal with access to a service;

wherein the determining comprises providing the terminal with access to the service only when the terminal authentication data equals a predetermined function of at least the test data and the key.

19. (Currently Amended) A communication system as claimed in claim 18, wherein the system is further configured to execute a linking protocol by forming at the terminal secret session keys by at least applying a predetermined function to the test data using the shared key established in the another authentication protocol and forming at the network entity secret session keys by at least applying a predetermined function to the test data using the shared key established in the another authentication protocol,

wherein the secret session keys are configured to secure the subsequent communications between the terminal and some network element.

20. (Currently Amended) A method as claimed in claim 1, further comprising:

forming at the terminal secret session keys by at least applying a predetermined function to the test data using the shared key established in the another authentication protocol; and

forming at the network entity secret session keys by at least applying a predetermined function to the test data using the shared key established in the another authentication protocol,

wherein the secret session keys are configured to secure the subsequent communications between the terminal and a network element.



21-22. (Cancelled) 



23. (New) A method as claimed in claim 1, further comprising: 
executing a third authentication protocol for authentication of the terminal 
comprising: 

sharing between an authentication functionality and the challenge data;

forming response data and another key at the terminal by applying the 
authentication function to the challenge data; 

sending the response data to the authentication functionality from the 
terminal; 

authenticating the terminal at the authentication functionality using the 
response data; and 

applying the authentication function to the challenge data to duplicate the 
another key. 

24. (New) A method as claimed in claim 23, wherein the third authentication 
protocol is an authentication and key agreement protocol or any protocol of the extensible 
authentication protocol family. 

25. (New) A method as claimed in claim 24, wherein the test data comprises 
one or both of an authentication and key agreement protocol integrity key value or an 
authentication and key agreement protocol cipher key value. 

26. (New) A method, comprising: 

executing an authentication protocol, wherein the authentication protocol 
comprises 

authenticating an identity of a network entity by a terminal in a
communication system, and 

receiving a key at the terminal from the network entity for use in securing 
subsequent communications between the terminal and the network entity; and 
executing another authentication protocol comprising 

receiving challenge data from the network entity at the terminal; 
forming at the terminal test data by applying an authentication 
function to the challenge data; 

sending a message comprising terminal authentication data from the 
terminal to the network entity; and 

receiving access to a service at the terminal following a 
determination of whether the terminal authentication data equals a 
predetermined function of at least the test data and the terminal key. 

27. (New) A method as claimed in claim 26, wherein the terminal 
authentication data is formed as a cryptographic checksum.



28. (New) A method as claimed in claim 26, wherein the network entity is co- 
located with the authentication functionality. 

29. (New) A method as claimed in claim 26, wherein an identity module of the
terminal is configured to perform the authentication function. 

30. (New) A method as claimed in claim 29, wherein the identity module is 
user-removable from the terminal. 

31. (New) A method as claimed in claim 29, wherein the identity module is a
subscriber identity module or a universal subscriber identity module. 

32. (New) A method as claimed in claim 29, wherein the identity module is 
configured to store a code and the authentication function comprises a cryptographic 
transformation applied to the code and the input data. 

33. (New) A method as claimed in claim 26, wherein the authentication 
protocol is one of a pre-internet key exchange credential provisioning protocol, a 
protected extensible authentication protocol or an extensible authentication protocol- 
tunneled transport layer security. 

34. (New) A method as claimed in claim 26, wherein the challenge data and 
the response data are formed according to an extensible authentication protocol. 

35. (New) A method as claimed in claim 26, wherein the message is a
dedicated authentication message. 

36. (New) A method, comprising: 

executing an authentication protocol, wherein the authentication protocol 
comprises 

sending an identity of a network entity for authentication by a terminal in a 
communication system; 

sending a key to the terminal from the network entity for use in securing 
subsequent communications between the terminal and the network entity; and 
executing another authentication protocol comprising 

sending challenge data from the network entity to the terminal for 
forming test data at the terminal by applying an authentication function to 
the challenge data; 

receiving a message comprising terminal authentication data from 
the terminal at the network entity; 

determining, based on the terminal authentication data, whether to 
provide the terminal with access to a service; and 

providing the terminal with access to the service only when the 
terminal authentication data equals a predetermined function of at least the 
test data and the key. 

37. (New) A method as claimed in claim 36, wherein the terminal
authentication data is formed as a cryptographic checksum. 

38. (New) A method as claimed in claim 36, wherein the network entity is co- 
located with the authentication functionality. 

39. (New) A method as claimed in claim 36, wherein an identity module of the 
terminal is configured to perform the authentication function. 

40. (New) A method as claimed in claim 39, wherein the identity module is 
user-removable from the terminal. 

41. (New) A method as claimed in claim 39, wherein the identity module is a
subscriber identity module or a universal subscriber identity module. 

42. (New) A method as claimed in claim 39, wherein the identity module is 
configured to store a code and the authentication function comprises a cryptographic 
transformation applied to the code and the input data. 

43. (New) A method as claimed in claim 36, wherein the authentication
protocol is one of a pre-internet key exchange credential provisioning protocol, a 
protected extensible authentication protocol or an extensible authentication protocol- 
tunneled transport layer security. 

44. (New) A method as claimed in claim 36, wherein the challenge data and 
the response data are formed according to an extensible authentication protocol. 

45. (New) A method as claimed in claim 36, wherein the message is a 
dedicated authentication message. 

46. (New) A method as claimed in claim 36, wherein the predetermined 
function is used for derivation of a session key to be used for one of encryption or 
authentication of the subsequent communications between the terminal and the network 
entity. 

47. (New) An apparatus, comprising: 

a processor configured to apply an authentication function to input data to form 
response data, and to execute an authentication protocol, 
wherein the authentication protocol comprises 

authenticating an identity of a network entity by a terminal in a
communication system, and 

receiving a key at the terminal from the network entity for use in securing 
subsequent communications between the terminal and the network entity; 
wherein the processor is further configured to execute another authentication 
protocol comprising 

receiving challenge data from the network entity at the terminal; 

forming at the terminal test data by applying an authentication function to 
the challenge data; 

sending a message comprising terminal authentication data from the 
terminal to the network entity; and 

receiving access to a service at the terminal following a determination of 
whether the terminal authentication data equals a predetermined function of at 
least the test data and the key. 

48. (New) An apparatus as claimed in claim 47, wherein the terminal 
authentication data is formed as a cryptographic checksum. 

49. (New) An apparatus as claimed in claim 47, wherein the network entity is 
co-located with the authentication functionality. 

50. (New) An apparatus as claimed in claim 47, wherein an identity module of
the terminal is configured to perform the authentication function. 

51. (New) An apparatus as claimed in claim 50, wherein the identity module is 
user-removable from the terminal. 

52. (New) An apparatus as claimed in claim 50, wherein the identity module is 
a subscriber identity module or a universal subscriber identity module. 

53. (New) An apparatus as claimed in claim 50, wherein the identity module is 
configured to store a code and the authentication function comprises a cryptographic 
transformation applied to the code and the input data. 

54. (New) An apparatus as claimed in claim 47, wherein the authentication 
protocol is one of a pre-internet key exchange credential provisioning protocol, a 
protected extensible authentication protocol or an extensible authentication protocol- 
tunneled transport layer security. 

55. (New) An apparatus as claimed in claim 47, wherein the challenge data 
and the response data are formed according to an extensible authentication protocol. 






Application No.: 10/528,161 



56. (New) An apparatus as claimed in claim 47, wherein the message is a 
dedicated authentication message. 

57. (New) An apparatus, comprising: 

a processor configured to execute an authentication protocol, wherein the 
authentication protocol comprises 

sending an identity of a network entity for authentication by a terminal in a 
communication system; and 

sending a key to the terminal from the network entity for use in securing 
subsequent communications between the terminal and the network entity; 
wherein the processor is further configured to execute another authentication 
protocol comprising 

sending challenge data from the network entity to the terminal for forming 
test data at the terminal by applying an authentication function to the challenge 
data; 

receiving a message comprising terminal authentication data, from the 
terminal at the network entity; 

determining, based on the terminal authentication data, whether to provide 
the terminal with access to a service; and 

providing the terminal with access to the service only when the terminal
authentication data equals a predetermined function of at least the test data and the 
key. 

58. (New) An apparatus as claimed in claim 57, wherein the terminal 
authentication data is formed as a cryptographic checksum. 

59. (New) An apparatus as claimed in claim 57, wherein the network entity is 
co-located with the authentication functionality. 

60. (New) An apparatus as claimed in claim 57, wherein an identity module of 
the terminal is configured to perform the authentication function. 

61. (New) An apparatus as claimed in claim 60, wherein the identity module is 
user-removable from the terminal. 

62. (New) An apparatus as claimed in claim 60, wherein the identity module is 
a subscriber identity module or a universal subscriber identity module. 

63. (New) An apparatus as claimed in claim 60, wherein the identity module is
configured to store a code and the authentication function comprises a cryptographic 
transformation applied to the code and the input data. 

64. (New) An apparatus as claimed in claim 57, wherein the authentication 
protocol is one of a pre-internet key exchange credential provisioning protocol, a
protected extensible authentication protocol or an extensible authentication protocol- 
tunneled transport layer security. 

65. (New) An apparatus as claimed in claim 57, wherein the challenge data 
and the response data are formed according to an extensible authentication protocol. 

66. (New) An apparatus as claimed in claim 57, wherein the message is a 
dedicated authentication message. 

67. (New) A computer program product embodied on a computer readable 
storage medium, the computer program product being configured to control a processor 
to perform a method comprising: 

executing an authentication protocol, wherein the terminal authentication protocol 
comprises 

authenticating an identity of a network entity by a terminal in a
communication system; 

sharing a key between the terminal and the network entity for use in 
securing subsequent communications between the terminal and the network entity; 
and 

executing another authentication protocol comprising 

sharing challenge data between the network entity and the terminal; 

forming at the terminal test data by applying an authentication 
function to the challenge data; 

sending a message comprising terminal authentication data, from the 
terminal to the network entity; and 

determining, based on the terminal authentication data, whether to 
provide the terminal with access to a service, 

wherein the determining comprises providing the terminal with access to 
the service only when the terminal authentication data equals a predetermined 
function of at least the test data and the key. 

68. (New) A computer program product embodied on a computer readable 
storage medium, the computer program product being configured to control a processor 
to perform a method comprising: 

executing an authentication protocol, wherein the authentication protocol
comprises 

authenticating an identity of a network entity by a terminal in a 
communication system, and 

receiving a key at the terminal from the network entity for use in securing 
subsequent communications between the terminal and the network entity; and 
executing another authentication protocol comprising 

receiving challenge data from the network entity at the terminal; 

forming at the terminal test data by applying an authentication 
function to the challenge data; 

sending a message comprising terminal authentication data from the 
terminal to the network entity; and 

receiving access to a service at the terminal following a 
determination of whether the terminal authentication data equals a 
predetermined function of at least the test data and the terminal key. 

69. (New) A computer program product embodied on a computer readable 
storage medium, the computer program product being configured to control a processor 
to perform a method comprising: 

executing an authentication protocol, wherein the authentication protocol 
comprises 

sending an identity of a network entity for authentication by a terminal in a
communication system; 

sending a key to the terminal from the network entity for use in securing 
subsequent communications between the terminal and the network entity; and 
executing another authentication protocol comprising 

sending challenge data from the network entity to the terminal for 
forming test data at the terminal by applying an authentication function to 
the challenge data; 

receiving a message comprising terminal authentication data from 
the terminal at the network entity; 

determining, based on the terminal authentication data, whether to 
provide the terminal with access to a service; and 

providing the terminal with access to the service only when the 
terminal authentication data equals a predetermined function of at least the 
test data and the key. 
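
The binding recited in claims 1, 6, 17 and 20, sketched as an added example that is not part of the application: the network entity grants access only when the terminal authentication data equals a predetermined function of the test data and the key shared in the first protocol, and the same inputs yield the session keys. HMAC-SHA-256 as both the authentication function and the predetermined function, every name, and all key and code values are assumptions constructed for illustration; the authentication functionality is co-located with the network entity as in claim 7.

```python
import hashlib
import hmac
import os

# Constructed sample values (assumptions, not taken from the application).
CODE = b"constructed-identity-module-code"
TUNNEL_KEY_A = hashlib.sha256(b"constructed tunnel key A").digest()
TUNNEL_KEY_B = hashlib.sha256(b"constructed tunnel key B").digest()


def auth_function(code: bytes, challenge: bytes) -> tuple[bytes, bytes]:
    """Assumed stand-in for the identity module's authentication function:
    a keyed transformation of the stored code and the challenge data.
    Returns (response data, test data)."""
    response = hmac.new(code, b"response" + challenge, hashlib.sha256).digest()[:8]
    test_data = hmac.new(code, b"test-data" + challenge, hashlib.sha256).digest()
    return response, test_data


def predetermined_function(test_data: bytes, key: bytes, label: bytes) -> bytes:
    """Assumed predetermined function: HMAC-SHA-256 keyed with the test data
    over a purpose label and the key shared in the first protocol."""
    return hmac.new(test_data, label + key, hashlib.sha256).digest()


class Terminal:
    def __init__(self, code: bytes, tunnel_key: bytes):
        self.code = code
        self.tunnel_key = tunnel_key
        self.session_key = None

    def answer(self, challenge: bytes) -> tuple[bytes, bytes]:
        response, test_data = auth_function(self.code, challenge)
        self.session_key = predetermined_function(test_data, self.tunnel_key, b"session")
        # Terminal authentication data, formed as a cryptographic checksum.
        checksum = predetermined_function(test_data, self.tunnel_key, b"binding")
        return response, checksum


class NetworkEntity:
    def __init__(self, subscriber_code: bytes, tunnel_key: bytes):
        self.subscriber_code = subscriber_code
        self.tunnel_key = tunnel_key
        self.session_key = None

    def authenticate(self, terminal: Terminal, check_binding: bool = True) -> bool:
        challenge = os.urandom(16)
        response, terminal_auth_data = terminal.answer(challenge)
        expected_response, test_data = auth_function(self.subscriber_code, challenge)
        network_auth_data = predetermined_function(test_data, self.tunnel_key, b"binding")
        # Constant-time comparisons; both are always evaluated.
        response_ok = hmac.compare_digest(response, expected_response)
        binding_ok = hmac.compare_digest(terminal_auth_data, network_auth_data)
        granted = response_ok and (binding_ok or not check_binding)
        self.session_key = (
            predetermined_function(test_data, self.tunnel_key, b"session") if granted else None
        )
        return granted


def run(terminal_code, subscriber_code, terminal_key, entity_key, check_binding=True):
    """Returns (access granted, both sides derived the same session key)."""
    terminal = Terminal(terminal_code, terminal_key)
    entity = NetworkEntity(subscriber_code, entity_key)
    granted = entity.authenticate(terminal, check_binding)
    keys_match = granted and hmac.compare_digest(terminal.session_key, entity.session_key)
    return granted, keys_match


if __name__ == "__main__":
    print("same tunnel key:        ", run(CODE, CODE, TUNNEL_KEY_A, TUNNEL_KEY_A))
    print("different tunnel keys:  ", run(CODE, CODE, TUNNEL_KEY_A, TUNNEL_KEY_B))
    print("response-only check:    ", run(CODE, CODE, TUNNEL_KEY_A, TUNNEL_KEY_B, False))
    print("wrong identity module:  ", run(b"other-code", CODE, TUNNEL_KEY_A, TUNNEL_KEY_A))
```

With the binding check disabled, a terminal whose tunnel key differs from the network entity's is still accepted on its response data alone, and the two sides end up with different session keys; the bound check rejects it.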






